16715155a4262990fbfe87f96c345a5418a74ee5a41c7f846876baf48ad8086a

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
Size

4.1MB
MD5

33ee39dff7a9021f13494d585033cab3
SHA1

a8201b6cb35b0e29eb3e706cd78b5d3541b9e00d
SHA256

16715155a4262990fbfe87f96c345a5418a74ee5a41c7f846876baf48ad8086a
SHA512

cf4f12c62cda3eb78e91a812bf4cca7947b8e844f26a56ad6f3d0faac9fbad8688cea365b44651385554ca4cfedf65fc764ca9cc51bb03f55e66d85d2b16c8ad
SSDEEP

49152:45Viqwo4KxghcyJLBaSbvviqMjfBVrTFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr9:4BfrrTFFqRlw6a+LC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2660	alg.exe
2596	aspnet_state.exe
2464	mscorsvw.exe
3044	mscorsvw.exe
2448	mscorsvw.exe
1188	mscorsvw.exe
1592	ehRecvr.exe
2700	ehsched.exe
560	elevation_service.exe
2256	IEEtwCollector.exe
2948	GROOVE.EXE
2156	maintenanceservice.exe
2856	msdtc.exe
2616	msiexec.exe
1660	OSE.EXE
2176	OSPPSVC.EXE
1564	perfhost.exe
1616	locator.exe
2224	snmptrap.exe
1072	vds.exe
1764	vssvc.exe
2688	wbengine.exe
1208	WmiApSrv.exe
1584	wmpnetwk.exe
3036	SearchIndexer.exe
1984	mscorsvw.exe
2808	mscorsvw.exe
2104	mscorsvw.exe
3264	mscorsvw.exe
3376	mscorsvw.exe
3508	mscorsvw.exe
3636	mscorsvw.exe
3764	mscorsvw.exe
3872	mscorsvw.exe
4008	mscorsvw.exe
2664	mscorsvw.exe
3160	mscorsvw.exe
3240	mscorsvw.exe
3168	mscorsvw.exe
3464	mscorsvw.exe
3592	mscorsvw.exe
3676	mscorsvw.exe
3712	mscorsvw.exe
1636	mscorsvw.exe
2064	mscorsvw.exe
4056	mscorsvw.exe
2676	mscorsvw.exe
2912	mscorsvw.exe
3148	mscorsvw.exe
3312	mscorsvw.exe
3308	dllhost.exe
3132	mscorsvw.exe
4032	mscorsvw.exe
3528	mscorsvw.exe
3568	mscorsvw.exe
3848	mscorsvw.exe
1804	mscorsvw.exe
4036	mscorsvw.exe
1276	mscorsvw.exe
1380	mscorsvw.exe
2124	mscorsvw.exe
1168	mscorsvw.exe
1664	mscorsvw.exe

Loads dropped DLL 53 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
2616	msiexec.exe
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
768	Process not Found
480	Process not Found
3848	mscorsvw.exe
3848	mscorsvw.exe
4036	mscorsvw.exe
4036	mscorsvw.exe
1380	mscorsvw.exe
1380	mscorsvw.exe
1168	mscorsvw.exe
1168	mscorsvw.exe
3316	mscorsvw.exe
3316	mscorsvw.exe
3692	mscorsvw.exe
3692	mscorsvw.exe
3936	mscorsvw.exe
3936	mscorsvw.exe
4000	mscorsvw.exe
4000	mscorsvw.exe
4064	mscorsvw.exe
4064	mscorsvw.exe
3256	mscorsvw.exe
3256	mscorsvw.exe
3292	mscorsvw.exe
3292	mscorsvw.exe
3068	mscorsvw.exe
3068	mscorsvw.exe
3472	mscorsvw.exe
3472	mscorsvw.exe
3964	mscorsvw.exe
3964	mscorsvw.exe
700	mscorsvw.exe
700	mscorsvw.exe
1900	mscorsvw.exe
1900	mscorsvw.exe
3020	mscorsvw.exe
3020	mscorsvw.exe
1160	mscorsvw.exe
1160	mscorsvw.exe
2888	mscorsvw.exe
2888	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\52a5be56fe8faa.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\vssvc.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C21301E8-B441-47A2-8BD7-2D0947B532E1}.crmlog	dllhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB1D2.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAAC0.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP495F.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC8EA.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA6DA.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC4E5.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1120	ehRec.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2364	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: 33	1652	EhTray.exe
Token: SeIncBasePriorityPrivilege	1652	EhTray.exe
Token: SeDebugPrivilege	1120	ehRec.exe
Token: 33	1652	EhTray.exe
Token: SeIncBasePriorityPrivilege	1652	EhTray.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeSecurityPrivilege	2616	msiexec.exe
Token: SeBackupPrivilege	1764	vssvc.exe
Token: SeRestorePrivilege	1764	vssvc.exe
Token: SeAuditPrivilege	1764	vssvc.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeBackupPrivilege	2688	wbengine.exe
Token: SeRestorePrivilege	2688	wbengine.exe
Token: SeSecurityPrivilege	2688	wbengine.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: 33	1584	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1584	wmpnetwk.exe
Token: SeManageVolumePrivilege	3036	SearchIndexer.exe
Token: 33	3036	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3036	SearchIndexer.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeDebugPrivilege	2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
Token: SeDebugPrivilege	2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
Token: SeDebugPrivilege	2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
Token: SeDebugPrivilege	2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
Token: SeDebugPrivilege	2400	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeDebugPrivilege	2660	alg.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe
Token: SeShutdownPrivilege	1188	mscorsvw.exe
Token: SeShutdownPrivilege	2448	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1652	EhTray.exe
1652	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1652	EhTray.exe
1652	EhTray.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1812	SearchProtocolHost.exe
1812	SearchProtocolHost.exe
1812	SearchProtocolHost.exe
1812	SearchProtocolHost.exe
1812	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe
3732	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2400	2364	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe	28
PID 2364 wrote to memory of 2400	2364	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe	28
PID 2364 wrote to memory of 2400	2364	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe	28
PID 2364 wrote to memory of 2612	2364	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe	64
PID 2364 wrote to memory of 2612	2364	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe	64
PID 2364 wrote to memory of 2612	2364	2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe	64
PID 3036 wrote to memory of 1812	3036	SearchIndexer.exe	51
PID 3036 wrote to memory of 1812	3036	SearchIndexer.exe	51
PID 3036 wrote to memory of 1812	3036	SearchIndexer.exe	51
PID 3036 wrote to memory of 320	3036	SearchIndexer.exe	52
PID 3036 wrote to memory of 320	3036	SearchIndexer.exe	52
PID 3036 wrote to memory of 320	3036	SearchIndexer.exe	52
PID 2448 wrote to memory of 1984	2448	mscorsvw.exe	55
PID 2448 wrote to memory of 1984	2448	mscorsvw.exe	55
PID 2448 wrote to memory of 1984	2448	mscorsvw.exe	55
PID 2448 wrote to memory of 1984	2448	mscorsvw.exe	55
PID 2448 wrote to memory of 2808	2448	mscorsvw.exe	57
PID 2448 wrote to memory of 2808	2448	mscorsvw.exe	57
PID 2448 wrote to memory of 2808	2448	mscorsvw.exe	57
PID 2448 wrote to memory of 2808	2448	mscorsvw.exe	57
PID 2448 wrote to memory of 2104	2448	mscorsvw.exe	59
PID 2448 wrote to memory of 2104	2448	mscorsvw.exe	59
PID 2448 wrote to memory of 2104	2448	mscorsvw.exe	59
PID 2448 wrote to memory of 2104	2448	mscorsvw.exe	59
PID 2448 wrote to memory of 3264	2448	mscorsvw.exe	60
PID 2448 wrote to memory of 3264	2448	mscorsvw.exe	60
PID 2448 wrote to memory of 3264	2448	mscorsvw.exe	60
PID 2448 wrote to memory of 3264	2448	mscorsvw.exe	60
PID 2448 wrote to memory of 3376	2448	mscorsvw.exe	62
PID 2448 wrote to memory of 3376	2448	mscorsvw.exe	62
PID 2448 wrote to memory of 3376	2448	mscorsvw.exe	62
PID 2448 wrote to memory of 3376	2448	mscorsvw.exe	62
PID 2448 wrote to memory of 3508	2448	mscorsvw.exe	65
PID 2448 wrote to memory of 3508	2448	mscorsvw.exe	65
PID 2448 wrote to memory of 3508	2448	mscorsvw.exe	65
PID 2448 wrote to memory of 3508	2448	mscorsvw.exe	65
PID 2448 wrote to memory of 3636	2448	mscorsvw.exe	66
PID 2448 wrote to memory of 3636	2448	mscorsvw.exe	66
PID 2448 wrote to memory of 3636	2448	mscorsvw.exe	66
PID 2448 wrote to memory of 3636	2448	mscorsvw.exe	66
PID 3036 wrote to memory of 3732	3036	SearchIndexer.exe	67
PID 3036 wrote to memory of 3732	3036	SearchIndexer.exe	67
PID 3036 wrote to memory of 3732	3036	SearchIndexer.exe	67
PID 2448 wrote to memory of 3764	2448	mscorsvw.exe	68
PID 2448 wrote to memory of 3764	2448	mscorsvw.exe	68
PID 2448 wrote to memory of 3764	2448	mscorsvw.exe	68
PID 2448 wrote to memory of 3764	2448	mscorsvw.exe	68
PID 2448 wrote to memory of 3872	2448	mscorsvw.exe	101
PID 2448 wrote to memory of 3872	2448	mscorsvw.exe	101
PID 2448 wrote to memory of 3872	2448	mscorsvw.exe	101
PID 2448 wrote to memory of 3872	2448	mscorsvw.exe	101
PID 2448 wrote to memory of 4008	2448	mscorsvw.exe	70
PID 2448 wrote to memory of 4008	2448	mscorsvw.exe	70
PID 2448 wrote to memory of 4008	2448	mscorsvw.exe	70
PID 2448 wrote to memory of 4008	2448	mscorsvw.exe	70
PID 2448 wrote to memory of 2664	2448	mscorsvw.exe	71
PID 2448 wrote to memory of 2664	2448	mscorsvw.exe	71
PID 2448 wrote to memory of 2664	2448	mscorsvw.exe	71
PID 2448 wrote to memory of 2664	2448	mscorsvw.exe	71
PID 2448 wrote to memory of 3160	2448	mscorsvw.exe	72
PID 2448 wrote to memory of 3160	2448	mscorsvw.exe	72
PID 2448 wrote to memory of 3160	2448	mscorsvw.exe	72
PID 2448 wrote to memory of 3160	2448	mscorsvw.exe	72
PID 2448 wrote to memory of 3240	2448	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-01-24_33ee39dff7a9021f13494d585033cab3_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x13c,0x164,0x168,0x160,0x16c,0x140315460,0x140315470,0x140315480
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2364" "452"
  2⤵
  PID:2612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3312

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1652

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:560

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2948

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1812
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:320
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3732

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:1984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 23c -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 230 -NGENProcess 234 -Pipe 1e4 -Comment "NGen Worker Process"
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 254 -NGENProcess 1d0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 248 -NGENProcess 230 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1d4 -NGENProcess 240 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 230 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 230 -NGENProcess 258 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:3872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 274 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 1d4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 284 -NGENProcess 288 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 258 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 230 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:3676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 28c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 298 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 1dc -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 298 -NGENProcess 284 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1e8 -NGENProcess 28c -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 240 -NGENProcess 230 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 290 -NGENProcess 254 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 290 -NGENProcess 1ec -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1d4 -NGENProcess 254 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:3848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 254 -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1e4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:4036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1f4 -NGENProcess 1c0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 238 -NGENProcess 1e4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 28c -NGENProcess 298 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 258 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 1e4 -NGENProcess 2b4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1e4 -NGENProcess 210 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 264 -NGENProcess 29c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b0 -NGENProcess 210 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2b0 -NGENProcess 2b4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 238 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:4000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 284 -NGENProcess 2a0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:3200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 238 -NGENProcess 2bc -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:4064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2bc -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 28c -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 238 -NGENProcess 2cc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2bc -NGENProcess 2d0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:3932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:3860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a4 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 284 -NGENProcess 2e0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 284 -NGENProcess 28c -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:3096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d4 -NGENProcess 2ec -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2a0 -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 2f4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2ec -NGENProcess 2a4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:3704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2ec -NGENProcess 28c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:3912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2a0 -NGENProcess 2f8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2d4 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 30c -NGENProcess 2fc -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 30c -NGENProcess 2d4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:3116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 30c -NGENProcess 310 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 314 -NGENProcess 31c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2d4 -NGENProcess 320 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f0 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 310 -NGENProcess 32c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 330 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:3540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2d4 -NGENProcess 334 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 328 -NGENProcess 338 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:3376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 28c -NGENProcess 334 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:3924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 320 -NGENProcess 340 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2d4 -NGENProcess 344 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:3908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2d4 -NGENProcess 310 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:3208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2d4 -NGENProcess 32c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 348 -NGENProcess 350 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:4004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 310 -NGENProcess 354 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 32c -NGENProcess 358 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:3088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 32c -NGENProcess 320 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 32c -NGENProcess 334 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:3992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 334 -NGENProcess 360 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 334 -NGENProcess 32c -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 334 -NGENProcess 348 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:3680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 334 -NGENProcess 310 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 34c -NGENProcess 348 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 34c -NGENProcess 334 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 334 -NGENProcess 34c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3b0 -NGENProcess 3b4 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:3652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b0 -NGENProcess 3c0 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3b0 -NGENProcess 3d8 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3cc -NGENProcess 3c0 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3cc -NGENProcess 3b0 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3cc -NGENProcess 3e4 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3cc -NGENProcess 3c4 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:3212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3b8 -NGENProcess 3e4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3e0 -NGENProcess 3f8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3e0 -NGENProcess 3f4 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1532

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
118KB

MD5
b93bfee058ffa0119e62402ccf329aeb

SHA1
3688975e899566f238289678f3d42d911c5368fa

SHA256
7bb1b379fb26b6e2624cb163c2fa13492e956209b89fb455aa723d8195f850df

SHA512
e2af8b489cb3dc0c3511599099ee3d8a3c947c7ef45f5fe114f789f77d9ed772190edc38e26644e1014e7a57cb58f3c363b13f08f771f2b61b1e99dba918f2b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
23KB

MD5
cf961ccffc811024d53d12f0523627ac

SHA1
edbb6ae0e30d815a1eaf9200d31a2dc8b6e79a1d

SHA256
fb4360bdeb84e190c19333ac63dbd210b6c719631a1c5d213cd34ec7734cd528

SHA512
cdd513207ed1c5abeb40a74089d04cd0d5e6b39cae8144fbc0d1654617393e363d8faa5fe8865200402b3f7681b5c70e164d42b2be0a6870e73e27b2e94ece1e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
77KB

MD5
d09fa10ebd7f5439aab1397041211b62

SHA1
2429fd80be1f85baaf33b79b9cd864791db7e889

SHA256
1fb6d8cb42baad3090b0a0bba6a7d8526371faf538bb7c1c86cb038130c6f63d

SHA512
e38358f1403556fc4b41ca11231e306d421d07bfbc1884746e8305c0cfe4340e2993c09202be3e1305646c9b7303f2ac700d4353c849c6371e219c6ff711c83e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
72KB

MD5
fe3563869946ad09c78026633ebb157b

SHA1
162b00f2c1d41593c4150640577739da6f387807

SHA256
08fbab312b0334fc891b4079a4890602299600da0176b1b25d212bbf79b8ae29

SHA512
b9281c15c7c70c3c966022d4744153b0bc80d943b958ec5d8d15b0c1cff3877b3150d45ddac72e6be673fb3937b2419b874267c103c57b563851340788aff600

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
28KB

MD5
1c50864261a979dc1f56bab26cbb6806

SHA1
e0d41f01a708e3e79160e4c6c9ba02e71f830519

SHA256
3186e335c0ce8748c65378ad00e33dc7aa6f9a7c62fbdff5e1863c6ac01ac618

SHA512
22f25a2bb7bf9476ae77c599277a195d634bb6572ed7ddf60e7adef8fd1a0f505e065af3e059453db1d2f59aabd75095f2469d6311816434c46a827868af3d6e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
69KB

MD5
c1ac6cecc76a6c24f80cd876049c6762

SHA1
93ada9cfc27cccdf6330aea8c6ece841fdc2425e

SHA256
284e3462d701dcaa6e79364d52b145ef13160e9ef65a1fc24db644e3763acdd2

SHA512
b89dbfd69e4d84e7e2d368d60af3369b707223606c7a21478fc50474542c09a04286ffc8276b4befa2a7b9d09351cddc889943e914eda31bccef08ecbb84da5f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
4KB

MD5
67482dad35743cc8dfaf05de6a470de3

SHA1
3b3b7c7186ed842fcde8cf30d79f5ba744d69991

SHA256
a057b4fa3fe727cc84a5ea8618cf4965b0d045b8725b8e53969fd47b445a9dc4

SHA512
2a3c52918944bcc9103105fbfefe7a774cbbc460cb95d2dc5326884728e066381d91142b4fc3ff6979680656faff75bf4f7bf75ec9fa1eb4113120b66ad35038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1dd9abfa3d8f5e89a29c22c8114ecec9

SHA1
42193ff672cfc3f58b1a7b890a680e6421527e61

SHA256
8e52b5476ddd39b83f985992831d457f16605e5ad2d890be2b3256d082e11a07

SHA512
724452c5407e5ec30aae68cf5ffc20831c0c0d2eab875486dec27d0453112face217ca717154f80510594e4e11596482fa0b100c2548b9e1e626f6f3e965d1a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259391608.txt

Filesize
1KB

MD5
15106cb3d7d1fd7698f5b3746d1a97be

SHA1
6d334c0be96ad0fffb4fd3699e330a0e768076e7

SHA256
1a08491fcdb5f9fc80feeee698335152dc98b9f1486edcbadd0ed1b4fa398ae6

SHA512
84e841a4d0eff6b4dccae8aa2dda911667ca581f3c7235e2e2cc89b5060fcebe04c0cd3ad6d5cd92827318d842a8e25a1a07672ffe31bad079f751c25ae8bf41

Download Submit
C:\Users\Admin\AppData\Roaming\52a5be56fe8faa.bin

Filesize
12KB

MD5
4273007218d9a46a5b95f018995b5aba

SHA1
0fb114d5c8e93de75c0597ca31ef5310ae00e631

SHA256
7a09a72313e714c33e36386e961b327640d87e06428736c8a5415a8955aaeaf7

SHA512
3a1aa800b162c34188c4a605ae19c56a2f1184fcd87739cc72f1fa7613082fed7ecba8a2129b0f3a30c3011cf2ec7f9f5b7ad04ae86ba42fbc8b1847a793358b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
821KB

MD5
c82af547cd3e53970fb485e6758fafe1

SHA1
1429b5b52343c8c228a37a9f3c733d4f4052a102

SHA256
c825d7a0b41c0bf5f92ea97d5ca7ba0586330d45ac32d83860363bbb523f0c73

SHA512
94a8685c13cffa9c2f3de0c2c58821472cdb3a0a4706dd6d6d49dcb6687545cc2609a5b9a9313cf5922bcceeb1cf878b4bd6db6babb04491b77379bcd7ac3af2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
150KB

MD5
eb55a55315bbbe948a22101dba04c58d

SHA1
8d362bb840498ddb25b4b31024556715f81d8a11

SHA256
efa6579c27daf675dc00e2fe40354187beaac241f6894bf4acd44f09bbc2e013

SHA512
3f300d698cd4819aba41a29dd61fed541499ba9eb739a1f76fd2fb7ad852a2c2b2a5cbe9b4f2f84a3d328e4bdbdc030ab326387fca8d65434299932267512e61

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
448KB

MD5
aeb82de07dcd10948260a655cad0f8b5

SHA1
a0c31dd7dcca5d6699044b84251451adff2f8159

SHA256
524fae230995bc3812b018ad9473a5e7193aa20ecbf0d8b6239582413de876af

SHA512
28acf630f9d21a15de02692f70e08c8297ec8ebcda7e326bc989630947de3de00235bd826e18c9e6b3fa1fbf059deea2fa2fa0f8a1ad3e86e58cadf0e13103c2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
204KB

MD5
4d5e8596cfbd5ff333bccd329836e7dd

SHA1
0c8351f20ca1f445f8e42170cd2145cce349d48a

SHA256
276c0c61044e50b193bd66c401f328f5d95c8e819812142dec7b9276b67367c4

SHA512
01a1f632d0cd1fa02904847b722331475ba4873ba7285eb7eadf713a6c7a8368a245f01f259f0630da5bf8d1730438faab73a7994fb39036417f764a3e3b2dab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
182KB

MD5
26e4c550f96690a01bb6b83fa2c29fda

SHA1
aa9fb09fef62daa19320267d299242b981e385ae

SHA256
b18fb089e02b32eb373ae9a409c0c66820762dcab8fc241c2c85ecba15ddaac7

SHA512
d1513132bd01b5d897654619eec52f715c9a56d904a48ea625fdda5b17ed29972f7e7cc15355a3ee0db862c03099ab874408fd373844c1a523c99c2cef8d5232

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
302KB

MD5
f1bab83066b3efcf90a97e66244c53df

SHA1
358be5a7d45b1b225e377fc1bcc639142b10bde5

SHA256
2b5534f13354d8e69d1f708cbd77e865fa4eaede3dc5e84287727fbe3be13b46

SHA512
9147f279b585fcbf67ff83a75816a2327aff5ed7a14bc7075ef94ac681c82b18d773caac4184f997683a0524add2e44c788b5287f70147fdbb56301577739b92

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
163KB

MD5
7cb0d34f1db011dd56ec96e41d235975

SHA1
38018dca215800f2df55571595703a166a11d916

SHA256
5d48dd3a47c7c60f7b84bf494ee9903b59cae58f0e4a0accdcc499d471435898

SHA512
b2c52475571d960bf34548005af9cbfbc41047d1d011639a74294e641945137fcb32f65d2540a064d82ac064d19e7ee556bb7bd6baebe55007e85ddcc720e3c5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
503KB

MD5
024f195a74cb73371730c8e88ff52c96

SHA1
5b9e7d81c5358ee031663ccbb287e0df13460915

SHA256
09dd7e5924d162b6499b3958fb1f495e1f9e157e32136e95adc8d0433288ec2b

SHA512
9217b47b9f4eacf7f3af7bbffd400d90e79ab4c12d3cda60b8e10d6038e461f6e1219c0ad9630470ba7a2fccaa09e6889b1025d5a6372d28d3c1618679c5cea9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
614KB

MD5
99ce8d4b28577ff4e9b6db9dbd4b521b

SHA1
758221d345046f3330c822bc72c158776f9f1185

SHA256
6735f39a8c5941b943dc3aa9279a1ad2834e6e0de778b4eef39474926e4929d7

SHA512
e847861e41f647eee26e8bce1d76566d197711e8d067fee3c825ffd64ca0be07540bf5fb69774361163271e4b7620e1a9d58bc5a4730f6cab8fb6e143872d0d6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
56KB

MD5
b291b0f55034887f881cd112f7551832

SHA1
013b3c0757d0873dc221dd243cba533f18f1144c

SHA256
0a3f023c5da73df3891a0a6d894214fc99fd15fd61448078ba636e32d8008e62

SHA512
3199df777c84e94df88eaf747b4f93b2e2069cf5dbb17fc1a5d69712794c20f0d1d3acebfb9829ae6ab4bf5616036b42e99a5cc8ca11ef4ecc73f74e268e3f4e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
52KB

MD5
e5f6f3c14b64109a9ba74323e9ed24bc

SHA1
a2204c96c01b035ba30de7b9b35741f61314eed7

SHA256
20f00ed94cb4ac74f0b0bed48b4fdc028a1b9d8d4785cbf99d69afb97d32a27c

SHA512
8ceb48eeb9160500d13a3f05c6481662e68888ddc891830e9a8863bbfc93079dfcba002edbc31460220646987e01a05acdc1751c1cdbca484ac579fc89153b37

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
55KB

MD5
b7d37e386d2d9ce30ef4c2a7c91288a0

SHA1
d43a76c4fdc41109643096df419d74febfacd955

SHA256
a697096ba43cdfb8d1ef04eac0312159e8630cd619612b535e001063b07d1cc1

SHA512
48bac6ac56579e0856fe44a1d5b751f79635d402a0ddb1e3985bec8843aba6eda4b2b82edfe8330df14e61b41912ecfed908cad16dfb6f24037ca726f9181f40

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
57KB

MD5
641c0b4bf61315c8bc57dc404316159d

SHA1
d095696201f61015491e4d72789c4cd0dcd56d46

SHA256
05c22652778a4cc3f2b24f59c35ce56dcd5634a1e5a39e4764cf665e4dec5c9b

SHA512
78373b26a23d2abdf0e012ae4b9ec49e18064bc689025d6ee90ab14a32d2658d7aed60e54fbf9674ed3f257e2082e90fb990728db7e6971ffec97f36b81a14ec

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
76KB

MD5
0bea20e70ac5bc8a1af08541f0c91ab3

SHA1
2876419c6582ca9dee668c6496e659cc7206aa3e

SHA256
e9f9b57d7309ff031997f1e4ff793135083b439544ac21b1297a3aea834e5e05

SHA512
2f1d5b74e1a900d59c476f80f4e0e354808cf8e46dbfb3d0cb13d0c6c8165e38f035053904b8261a30e0488d8a3bfd7e3eea24669756bf7ecdf615a3dd53e5fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
49KB

MD5
934d0c81ee6baffc4238c0da5e42fe5a

SHA1
6efd830f5cb91f69d3f8c0fd017853ba9c5ad8d0

SHA256
c1b779b6b6cbfea404fe9c824955196a9be3abd7e9bd07a9d4f664c3d260b31d

SHA512
faa1e2f3b58b39170cb4cc5fcb493b27923fe45508e1849db25578fb86fb9bddf8cc612c4fb8fd3971a0167a7ff2df45a8af1a556013f238ff1675ae24d14c4d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1KB

MD5
e471c52fe8534bc15a9e10c4780224fb

SHA1
9693a6977a547bbb4b161abe0ed195d3a927607d

SHA256
da918916d74cfba16439a46fd45a29b0a3acf60238cc1da4fb093df78f822011

SHA512
bb16b2ee715feba08a3f49860fc5a20cd06853fe3b4906339b70c3dbf284f2f26bd87e1d837fb0ec9bcde3726b863de78c9061ee774471bfad4fd670cab63980

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
18KB

MD5
1f71fdb63c9bc9fc9105aa6399178d3c

SHA1
7dfaf9df05cbf9c220f41884e450c7bc7c7bc03d

SHA256
cbc7fad233c7b529f40bfd505f7d60fecc83e44a4a5ab08c0e6cfb688e1e1760

SHA512
05f0d6882c721d6646f2b21e26806a570d9e37f0fe3ec852733db16927a0d3084293cbf49675a9f4f804586ffb71cf9c8e52cf4646a47728afcf9ca6b8aac5b1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
5KB

MD5
eab8d0cd9063c3a0cf4130290e8dea7d

SHA1
ae3c2ec4c2625073c44465af707b812080fb52b5

SHA256
ebe1fb19338af1cc74e3642823373ade377e8057c11e0f4e58914b540cda0cfd

SHA512
cf32e11e009b7b2fd955a708f4e028eb1c206efaab1816132b548bc1e76c79ecc122f6a922dd1d8bfe8c931c143a8d345deb23d63c350cde77ca7cd5f3efee15

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
11KB

MD5
cdd9045a195885a3f7be9201be45e74d

SHA1
4baee9f3603276a14b2a4f927c717c6fbf4ce7e9

SHA256
26e020b9dce6d7f0e5fe3b661cdde99cf0a4550f375e5b58f0bb0922e5759fbe

SHA512
c3a377a58004ae10b3fcc2a59c41db24870ca4bc280da6fd3ec9d0d8af63c64454dbd14bad87dd1f5bf48e1e6d2045832234105702c294d61176e091299b5a53

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
49KB

MD5
8638004d50c27f07e9542bf661d35c50

SHA1
a6b88abc7df4a16386589820b130e2fb1230e6b9

SHA256
8dc42dc0dd713a2cb0d1fa2ecc842fbe6113d3d5295be992356b2a266052ea26

SHA512
c6fa3ab93e107075adedb4d0317e22e6e5ecc79dfaf304e55dc7812255a131c510782db7c2498cb455b5c426f3ae23dd7075dd53f65044043e3775a3acf3c1ff

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
43KB

MD5
bfdc422ac3ff0974183054de9ec985f7

SHA1
5ac99e6e6362454cb70848ecff5acdf9d8340125

SHA256
999862487a0b1fa8b55b2f7e196054900fa3e1a36322bac926497864d66263ba

SHA512
51a3b31f611446259eb15b7670eb3808ce04e59acd5b5e875d32f01f37ba7d6d221abcab7a3ca6c9593ce6bf7703de3907a6c3a3dc742671fea220b1b7609a1b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
41KB

MD5
1cab062d3529992bcc28febff99dee77

SHA1
369c4a61b52d2c1a2cfed28ad92e47463d8a81f7

SHA256
479ff14a24c48ce1a7e0f7fc669289eddd79e5281044f992856088a3028ef1c2

SHA512
4d4099d1327210ac9ef44106ec0efd5345b1c72878bb46a1d48f6278b67cc198d41f45b5a932a928ba7261fac0cbd87eb22a307e8ba356eeb8fdb7838c0885fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
63KB

MD5
5ae7dee79ea9b93e90e8fa3d4bd14532

SHA1
2a93500bacf341eeb750c4ac036b2c78543b8373

SHA256
8917b51b1107963b5aaa6a7f29b907ff6de310f6f98defd66b5e8377946a1c1b

SHA512
602acd8640bbb08beca2cccb998829c29dd6439cb54cd6417a6f5af37f30c86c828f711b8c94bf6673bc2347afa8ca99dab8726f69ea22383cca8e2c1dcb83be

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
12KB

MD5
838ae6808504166da75c87ac4aada7c7

SHA1
0c17453ca2f01f48bc01551e9215be8a5c024ca2

SHA256
dd5035f1753d11b633580018560342f930238824c20cfb59a8b5272600627ecf

SHA512
771ce607924435e62a3424788f950e6eb8475969a1697dbbe982a601ea44f1581a088fedb3a1c3b7299a838ab2c2d9dc8bef4f657b46cbbfd8146727f8bfbc16

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
39KB

MD5
0036cabb6af72fcc9353728030be2736

SHA1
25578792c1a57fd9730bf42ccf2f7187fd832130

SHA256
5177f9d1ec98e1bf2dd3ebc138177ac3ddd1cdfebba3d12bb7c24870522649bb

SHA512
86f433003e9024e58914dcbedab645c0dac1af6d0e43f694c7148d519c507f6aa2f2636632fbf7c51016f680808d8de2b914ac17732d47b57499486017ef13f0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
482KB

MD5
8cf6f4d0b11354051f683442aa5f2077

SHA1
2643d827f777d162963673afb33786a1a1253327

SHA256
1ac5aeb0da5ccdaa41ab384d4e9a176582552cd25dc5979b86155905a3c6265a

SHA512
469395188908c39eeb38ae231b6cb1b1025bd1e7b77207e69a5fc4190c7807e1181ab171319727958c40fc5ec6976e53141d6c290c39b5ee9df9a1277e714197

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0ce9d6aa50018eb4902bcc8a7ee32a9b

SHA1
81da482f285bd0ea6073d9dbfbd92d9a2dc3034d

SHA256
ce750148ba7034ba78f1ab99da34ca6ded7c911090b2992b1bfb0f503cc1daf9

SHA512
46775832d39847157d88a5023ed3b4d2d1d8e5a5feafff1a57f546e028ea9dcd8814053b4aa723cd93d323d865d75a77d4aa7d6b6d16b2ee56e5611d243f917c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
26KB

MD5
40e2e7d243d4ff4cd0791e569f72647b

SHA1
130b214015f9fbe464b92c46e5656e85d8dcfc7b

SHA256
3fe2e53775323c4a9b57bddffe8f581f78fd8882fb466d5bba76f21020b9f368

SHA512
9c2434c1e7f1f601160487a84a60b138b731b0197efdde3bf94f625e240d3f44a6dafd78b3f97f5d488d121b0b16c6494d55597eff3e4adbcfb6abf3c108b87c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
54KB

MD5
836cc4eaa6cb78df5c39ccd88688fc1b

SHA1
b7773cb454fa70d2f783ebbaf6d1f33860ccc38e

SHA256
640343d9f4a235037f957dff38a8d7e4fb1dd5a9567d542832553f2499874e5f

SHA512
932db246ee9637cfdac129f850c5dd7af06be3660cdba5463130753de22425db3891c8da34e4fd6eec50c50a57611cdc89667a75d52e5b5b622e5c677613c47e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
29KB

MD5
a6eb6c47d27332f52aa3b0e6690a7144

SHA1
1965e7cddae114a3e093a355e73076a2942a6291

SHA256
abb50319ffa0567713756e80220d55c46aefc4b4694742edaf1ff28077699b99

SHA512
8bb653da59052e92d72ffdd56a45fb3b5c477669f19b42ce951e67118a0e16a9442645586d2510fb93f7273f81a3fdb44692e5572fef8ed42b3f17f6040240a0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
50KB

MD5
493d12621cd22955e2bb96a03577aea8

SHA1
4182203b6705f99995654fb6833e3bd055a10939

SHA256
f268583912199279860496c8a331d67c7895d018cb0ffc6ee8597abb1837e611

SHA512
11ab42586c577e5b1d4476855325e4b6c554b1ec3559de5e3b6161a94fa9380a2fa17d2a2aa138b46e473a1c282fcbacb973da06b577aaf022b0d5f0fe881ba6

Download Submit
C:\Windows\System32\alg.exe

Filesize
973KB

MD5
5c30b6437036bde19068e1e3b253f6cc

SHA1
6d37901c9a72d0ac4f954ba0e9119f7a404163d7

SHA256
f538c5271c6d734044b7b192997d4936d736688e8cb8aaddaf253ee6c0391b9e

SHA512
b7fba1c2a081bbd84f183c69d12ecfa5020efa058d0f5aae1f205be2398d3b070eb5948ff4a1f423b0ffd57fb6d9cc636bdcfde7529204796c27d362295521aa

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
45KB

MD5
4e8d8912515418e07261d88c8ba1f1b9

SHA1
650a170ca6a257e07a146905f59a7fefd3f9e4dc

SHA256
4509b4f4b59edaefc2f696e04959de2d00d951013dde69f8475f76099053a3dc

SHA512
bf1e133e22ab799924bb678577f1b1497d5daa0c37f3781b93e9540da673e6645ff1e1c4ee81ce03d6af0163a36334f550841d9c0c5af73f7c166ad7780a5bfa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
125KB

MD5
05f46002093a8b4defbd9f1ef16e3979

SHA1
654140d64bf965bd398805576ae6c43d99d0a194

SHA256
f4704aeef991a1be57915cfaf72d1f0a3da87fd204ffee2a68f5daed67f8d71f

SHA512
b9b6142b57b0ecaa7db02fdf665fe0c14204ccd643cd5a66184447f7ae8bb7c4b0c56123bbff9de8a48cf60ba36fe2adfa3bfd58dd5bdbc9a72f6362f9c90b30

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
210KB

MD5
29e0ceaf3b3bdc5a070f4eb5e10293e2

SHA1
b16f49d17fd1b457c2328645daaba462b5fbdaae

SHA256
b0f97205592122ec117bdd2b1d3491bccec903d047a4644abac8316fab9b979c

SHA512
fc33f0e14a9b817cc5615ec5573aca70f24afd8a3c0189a5ddc0b1418d06bf5e8a07ef6e519a721bccc73e2df1b0c5a6c0c6cb25baef984c03e842af1cea600e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
126KB

MD5
ca301a279290a80bbdbe046f29b3af8b

SHA1
37e0de5bcc06a6e62ce5a1f7379720849a1b9eeb

SHA256
0f611eed17568edd7a08bdd762080cf3f4c7a3cd8a261a1b0e630e2a4f104b79

SHA512
239851a802c4d170cc71220ee696a00954d1ef1a0cf0402480b94f402a3fc192ecc259226e5224ef472cfe96d43f68b04a29a1b14a627725227b19dcc9247f95

Download Submit
C:\Windows\System32\vds.exe

Filesize
22KB

MD5
456dc44539fa2a2f6739b2c73d305ba6

SHA1
3f206109e26e5925a84cde1d41ff37a2964194c6

SHA256
1ea3acc44e69b6204a8bfc094a3de2de610dbaa5f7d75091e28c6aa9ffb93e61

SHA512
0892cce54b7c896a775c932ef828f493791b772c3ba8e926c7be37aa2cacd1e7e5759cb51cfde6e20c71b905c6af85db201ade15d74f3ccc8eca3a9b53411326

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
57KB

MD5
d8676c539e5806fbc90c5f7c1f9ebbf4

SHA1
84b418ad50c00c72a0bd13cd76669c619506f2ee

SHA256
3f98808ac5ecee8cdddaaff72efde6cd81fcf0eaa49d29af478e402670ae46fe

SHA512
40ca043e538dc209475ee09f422e5c2c038791b43291cce79465a8a0f5c8115a8b8287a1ecf483739391caf1467fc85d3116fe9f934791bbed1547a8cb8f3835

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
13KB

MD5
7a3b90a131b7b409abbdda046a3641e3

SHA1
7718e86b7c7ba6348ee1ceab73fd16832d3265c6

SHA256
cc9dc90fc9bca8cdbddd6afdc28727573459fed62c62b296701e4165e8fdbb9d

SHA512
eee2686922a3b97aaecd247040a13d0dddbf65682d1b0433ba60368f035196c0073fd851f9c9c3da197a5d1588106f195595fcb4ce24a77dde960583ead4e208

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\168ef72f98b87110a9c87fd0ee2d2a72\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
cbc255db06b68e389bf4ee7a172e6d8d

SHA1
2a6f07b21e65cfc4e8aa4699ba7e6de107a227eb

SHA256
ca50af801b81666ff8ee0db22514cdd41ce17398ef0c991c18bcb38913e1370b

SHA512
5bb0f177eb0a2531c37b40412957f0b8d51ef2b77a6b31dbe74beb495f63de326db1ec265c3942b3e403b94a02084e78f69b8db073440233cf1760d743cbc952

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c7df132982d0e702a943772ad8a0e695\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
5d3c6a48c63d0f9ea81011d01efd3433

SHA1
94f93d7a6b944010154aa1354239e82fb23845db

SHA256
fbc410fde5cc8db98321f61b4b0ce705d573bf9cd590c94a8f3f428c7f844a97

SHA512
afce4b696d71e12f38d35d601312e377c30344a4343b1c4008bd151908e60674d94fad5afc524899e85718e84938d1b460c13479ee432a07ff966ecd09132fd7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d0299b76eb7a5acc361b58dd85f52eef\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
9b3e44cdcc7088311c18465bbce05c3a

SHA1
03e67403745852102b3ddfd3d0885717a8b281f9

SHA256
189ae02b4a717d1405271c6e0435a609b9d0391b4cf7683db9c20b235c291b5f

SHA512
7a575d9d6b27c33f308548e3a4d138dcc461d14a95d3f4337585f151287331940fc3753ffe51ea144bb4466db5ed0a41f3c8425e63a948d8b8058ac37165b954

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
206KB

MD5
bd13d9bfda70d6ee31a8b2216436c5b5

SHA1
645c65006a9d01465a9703c0d0da18b89e6e6f00

SHA256
3524cb6dd4c78b68b8f53b4c7b39aee8d2983a1faf7009da50f84717ab6c7780

SHA512
624f4e627cc529dd7d77bbeeeef262efa3003229f66425756ef1002b3201c76059d855da8e60885289abad899c475fc7aa5bc5b0981279d07178ebafae40bdce

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
a0ee831b20c0b59a7db8003ae8b11dbd

SHA1
dd503ba84bc68bd6e686cf56583e85048951a896

SHA256
0983030554da0e6c66b13ee50c0358cfa93c2765e0274ec7cef3b2f4a833ec88

SHA512
ff09123194e9ae7d2eb2e7e0f31816ea749412bb22973286a12705ee7108d15b50354f6482856e105819bf3170f19eef5ff558e3dd64a7631ef7899eb8ab91e6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
87KB

MD5
ba0600a816bb75ee615f7961a5979641

SHA1
a6a64a1e792fcb36a4e33359a8e5b5916dec9ac7

SHA256
9f5bb717790214751bd6533fda06be8cde81fa5d6763f6872a700a0f00ba9a63

SHA512
f9b789623b3593eac47c3613ddb6c7033466d3893d4639f2da77bcf9a8c5a6eb79d7031e8b5514ebec7c2a50df1e3d120320f27b3273d7afc02a00a5430dc404

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
26KB

MD5
dde1db1e7f947ac70860b30985bf5821

SHA1
1e63e97a062151da804362399afaa92c81569727

SHA256
dadb2214f18643b1c404e1438b1afe37dfa662c530f36795487c7a7e9951331a

SHA512
4544ef049163bd93f21ab0e5e8f2d88a89e262e4170ab70087691921940e5f331bafec3c5809bff6e3afcadc96e0c335df9f50e905df08c48644fa8894495780

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
13KB

MD5
e4cfd55b39fdf12d62cce2a3ea2452ed

SHA1
b20846e07dc57ef2d7d33b1903e398d4281168dd

SHA256
cdc92faa78c7661671efda2ef65e2123105f63f840d58be4d6c2396f932a0a3f

SHA512
8567de5902ef02ed63a8c1d143e06e3d7c86eb6b7f4123d09fddc1b5e7a2ac9894546455f4f1cdb4521be2aa098011de3fa2f45b079e4fd09f36c52a07040cb1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
523KB

MD5
dd9fe5e96edb2b356249857a76c42426

SHA1
2d9268d06073f6ef749aee2bf828ef1428175b8b

SHA256
a12ec9c47ded29674a8ec33e4cc3706129521ad7ce090f807a156885c0a965b0

SHA512
1a1d27139f779ce6219b0a9d17dbfacb08842b51613888d369aa1840bce6b3a6f22729136b903268e481783535e1720816d6bd9c41e4512f4cc1093df9bceb5b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
113KB

MD5
ef0b176c39e42feb6ca7e22ec4cd8b41

SHA1
814962e18858a917086d6f53a573d170b7d61629

SHA256
b968aae1c6e6aa8f83d3cf6b4cc170c99c97d2d7081835c6590658de81b18d0e

SHA512
e5c1deed94b64a1e607c8eb3a8ba9f06390962d474af20ad8374027f4b6335c99d8be60f6111149c86a88b8a3dab7055018eaa932a265cace0382d366be2fe4e

Download Submit
\Windows\System32\Locator.exe

Filesize
34KB

MD5
2fae8f5ec7e240add7a90ad6e4a75d18

SHA1
6ef8f9f7f173ee20405fb60178042eaa1ea8a09d

SHA256
d8158486f5096017ad6c1c5faf53e805ec3d10537100b7984f9c636608950f90

SHA512
8101ac75e05c8241318ea929114ac98478bf17afe844246082711b66d06673ae759ba5e03d4d2278c26535ed048adeeb51a6608baa7985a6c0ab6f86795ef72f

Download Submit
\Windows\System32\alg.exe

Filesize
704KB

MD5
c81b283cdca91ddd4546f15a0150e97e

SHA1
531f22636c5db9cf8ef7f67472b33cd8c99244fd

SHA256
338dcef15f75db181eec37088a99bfa40e876fc2d26d445b308926014b7c8718

SHA512
e92dcbda22cd03b9e96589747f4ecd04eaa50abcae17d6f5a73421c164b73af4c30a937606f12474ce1e32a79f5a12a73a6dddbead157830694db3eceecd9461

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1KB

MD5
81b082f157b21cd5e8f02ec2d414ec4d

SHA1
da2e2b10c885e2d038d8805178be472c4801879b

SHA256
77c465f297676a88490d3c2cdd477a475b7c33491f9b35826535e965e08a140c

SHA512
f0c9e638298ab2b0c5fb8d362fd512549be7c6f4622e333f49fce248f285a6e36130bf847a2edbae715ca91732da547446cb47857ff8249c0f447716addca34c

Download Submit
\Windows\System32\msdtc.exe

Filesize
107KB

MD5
a5d1caf5a7aca0c23c98f5b88f533459

SHA1
7afa649caec7581d329b53eea1e4cd076d65790a

SHA256
30fca35fe1b09d023969de5c4c6d939ef8762ec02824d7a7d92893f8dcf543a5

SHA512
4ea712d24a33561ac472f631b93a6c597b53b97d0539c8f45ee6ec92f355a07f4ffbe9a1b3a7b88d5e00d1b1c417eb85ea0b94e9c75a48c4f2a39ee048d90566

Download Submit
\Windows\System32\msiexec.exe

Filesize
125KB

MD5
bebba3a937b863bc751e4bb82f8dff79

SHA1
744eb5654840b9a3301d3e08ffd42df552ab22dd

SHA256
73d8a01bb392b0c3ad980a8b78c843a37145c210d2aa133b016df6ea5e3cb543

SHA512
8292b4f2b7bb651fa22816c14f4a11bf3daf25dbc7a96ced8d6c0cefa4c02274efe885cdc46c2ee01e3aede1b8b55f63c55d5d26be2acaaed5c08fd1c18e4914

Download Submit
\Windows\System32\msiexec.exe

Filesize
134KB

MD5
95c4f95d44d7bd25e553fb79eaf5dafa

SHA1
e18496f625ae83ef08be023c4c8a0416b1003b50

SHA256
bde0fa6c3691474eadd4d3999e02149824e8f009adfbe38c556ac6fe0155e67c

SHA512
8e049cda7601a3e2d9b66d5afde6b0efce1a978c8c8dc47e050028780ed81865a5dffc58d2e9a1200358bcdf2cea9670288a5f18539bc9c8511e92d45e065f92

Download Submit
\Windows\System32\snmptrap.exe

Filesize
50KB

MD5
1b19ed7ce4f99c6f4d8f7f5e299deaed

SHA1
d8abf339d42870e6f0191d76d0f3294fcbdf0ce5

SHA256
6001217e3369a4e7e88454c2d8d36b2bd1872a307ccb3c7072d1a4874a989258

SHA512
27e342a9bb2e2e5e62fd10ec3206bf5a09e5d4154baa4f2c3bbae4519b02aacfc90e6963e0d54cfbe50afeae6ea3a004d671c42da1c7cb7bed96a5b3e3c85fe0

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
32KB

MD5
7f344f6932a1468cd250f7d1d13a1171

SHA1
a627a6b5d4715043efe394acfd13e694ae2530b9

SHA256
7dd90d3083cd3751543b3101f0e25c4e91393f22956abf0b814a5a147163ab22

SHA512
dcdb92c34408dc1f4c7fd1eb2b18b21e461a8c0bd39a8e53d9824ee8ab73aee6d14432bf434fb66bb756344fc02a424def87fb0aff9af272eb42151176f84fa8

Download Submit
\Windows\System32\wbengine.exe

Filesize
70KB

MD5
2b00d2cfc2e8f33363f2d722ce556fce

SHA1
8b9f14dc887b5e52370ffc4a29aee0eeaec8d28d

SHA256
2f62c4550b032a3faf5ead3160dfe648539de729fbb399ae846a86ac51ef8cf6

SHA512
05aa73e238877a057329ce3713c3841f8a1a703c415ff99695847c9e76b2adeaaf9ac180c31ac7353e8cccc9e2c6cf3bc488355e0a64a87791dde499eecca6cf

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
111KB

MD5
3882f705db9d446325c80b5663704363

SHA1
3ec4acdb2bcd87530f0365c206257de7366c7721

SHA256
b79bfc5bac367673089598cbba1df2211a2509df1fc4c323beca58cc800e0049

SHA512
e6d4a71ed5479c33e264f85f601ee5e8764118b6b600941343ee7f8e8ae04621fb7f13b47b77669af4a2567bf515f32788addb5f83530acdd098c19bd58a11bc

Download Submit
\Windows\ehome\ehsched.exe

Filesize
63KB

MD5
95df43978bbe797c9b40c7ef5dacc102

SHA1
9c95173e5043af6f3ee3d710eb37e2f35f993af1

SHA256
1ef082cd27e8e6607a0c175c940925e727bb48fb42fa7205ab564df121f10d48

SHA512
621ad345c430c96348f8b6add78903f3c61de2f824fb9963d1d6997f551cc977b14487c51d8ecc497650ac9b27589af33694c78509751c930c7a7fd91faa75d7

Download Submit
memory/560-147-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/560-153-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/560-214-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1120-228-0x000007FEF45D0000-0x000007FEF4F6D000-memory.dmp

Filesize
9.6MB

Download
memory/1120-231-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1120-170-0x000007FEF45D0000-0x000007FEF4F6D000-memory.dmp

Filesize
9.6MB

Download
memory/1120-168-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1120-234-0x000007FEF45D0000-0x000007FEF4F6D000-memory.dmp

Filesize
9.6MB

Download
memory/1120-266-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1120-167-0x000007FEF45D0000-0x000007FEF4F6D000-memory.dmp

Filesize
9.6MB

Download
memory/1120-191-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1188-97-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1188-99-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1188-105-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1188-176-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1188-106-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1564-281-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1564-275-0x0000000001000000-0x000000000118B000-memory.dmp

Filesize
1.5MB

Download
memory/1592-139-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1592-129-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/1592-199-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1592-115-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1592-188-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1592-131-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/1592-120-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1592-123-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1616-296-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1616-288-0x0000000100000000-0x000000010018A000-memory.dmp

Filesize
1.5MB

Download
memory/1660-247-0x000000002E000000-0x000000002E1AA000-memory.dmp

Filesize
1.7MB

Download
memory/1660-255-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2156-190-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/2156-201-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2156-220-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2156-218-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/2176-267-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2176-277-0x0000000073E98000-0x0000000073EAD000-memory.dmp

Filesize
84KB

Download
memory/2176-259-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2176-270-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2224-305-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2256-174-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2256-171-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2364-39-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2364-7-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2364-0-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2364-12-0x0000000002680000-0x0000000002AB1000-memory.dmp

Filesize
4.2MB

Download
memory/2364-45-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2364-2-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2400-20-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2400-11-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2400-14-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2400-98-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2448-156-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2448-79-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2448-78-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2448-84-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2464-55-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/2464-95-0x0000000010000000-0x0000000010194000-memory.dmp

Filesize
1.6MB

Download
memory/2464-54-0x0000000010000000-0x0000000010194000-memory.dmp

Filesize
1.6MB

Download
memory/2464-60-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/2596-128-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2596-51-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2616-294-0x00000000005B0000-0x0000000000757000-memory.dmp

Filesize
1.7MB

Download
memory/2616-230-0x0000000100000000-0x00000001001A7000-memory.dmp

Filesize
1.7MB

Download
memory/2616-244-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2616-287-0x0000000100000000-0x00000001001A7000-memory.dmp

Filesize
1.7MB

Download
memory/2616-235-0x00000000005B0000-0x0000000000757000-memory.dmp

Filesize
1.7MB

Download
memory/2660-30-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2660-40-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2660-118-0x0000000100000000-0x0000000100199000-memory.dmp

Filesize
1.6MB

Download
memory/2660-29-0x0000000100000000-0x0000000100199000-memory.dmp

Filesize
1.6MB

Download
memory/2700-194-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/2700-141-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2700-138-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/2700-130-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2856-215-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2856-207-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2856-273-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2948-242-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2948-182-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2948-184-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/3044-68-0x0000000010000000-0x000000001019C000-memory.dmp

Filesize
1.6MB

Download